diff --git a/CHANGELOG b/CHANGELOG
index 8423700..538acf2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,9 +3,12 @@ NEXT:	Records created by Crypt::PWSafe3 (eg. the ones fetched
 	object, so that you can modify them directly and call
 	$vault->save afterwards without using $vault->modifyrecord.
 
+        erase passwd from memory using zeros instead of
+        random bytes. fixes github#9.
+
 1.21:
 	forgot to load File::Spec
-	
+
 1.20:
 	applied another patch by David Dick: writing tmp files in
 	the same directory where the vault file resides (unless it's
@@ -14,7 +17,7 @@ NEXT:	Records created by Crypt::PWSafe3 (eg. the ones fetched
 1.19:
 	applied patch by David Dick, which adds some more precautions
 	of i/o error handling and flushing.
-	
+
 1.17:
 	added license to META
 
diff --git a/lib/Crypt/PWSafe3.pm b/lib/Crypt/PWSafe3.pm
index 1bab08b..a49e2e7 100644
--- a/lib/Crypt/PWSafe3.pm
+++ b/lib/Crypt/PWSafe3.pm
@@ -153,7 +153,7 @@ sub stretchpw {
     $sha->add( ( $stretched) );
     $stretched = $sha->digest();
   }
-  $passwd = $this->random(64);
+  $passwd = 0 x 64;
   return $stretched;
 }